Packet sniffing.
Results 1 to 10 of 14

Thread: Packet sniffing.

Hybrid View

  1. #1

    Packet sniffing.

    A packet sniffer is a wiretap that eavesdrops network traffic.

    Now as you have read in the TCP tutorial packets travel through the internet individualy. They contain lots of info. Once it hits the wires it is mere pulses. Most packet sniffers work at the ethernetnet level of the network.
    Ethernet defines the way the data gets transmitted and sniffers catch this.
    Ethernet actually uses sublayers to transmit data.
    The physical takes care of the wires.
    The logical retransmits data if neccesary.
    The MAC is responsible for the formating of the data once it hits the wires.
    Now you have probably heard the term MAC before but what exactly is it?
    MAC stands for Media Acces Control. Your ethernet adapter has an ethernet (mac) address.
    In windows you can check this by typing 'winipcfg' from a run box and choosing the appropriate network adapter (ipconfig /all for NT). This adress is a 48 bit number, displayed in Hex. The number is divided into two sections and should provide a unique adress for every network adapter.
    The first halve identifies the manufacturer of the NIC and the second provides a serial number.
    Now once an ethernet packet enters the wires it contains the following data:
    Source MAC
    Destination MAC
    :HEX code:
    IP packet
    CRC

    Explanation follows:

    Simple.

    The source and destination MAC should be clear.
    The HEX code contains hexidecimal values so that the recieving computer knows what to do with it.

    /*note: ethernet works with different protocols like netbeui and ipx/spx
    The IP packet is the incapsulated "".
    CRC, Webopedia says this:
    Abbreviation of cyclic redundancy check, a common technique for detecting data transmission errors.

    More.

    TCP/IP decides, after negotiation, how to transmit data and then turns packets over to ethernet. Ethernet puts the right wrappings around it and sends it to the next destination. Once a packet hits the next destination, ethernet deciphers it and hands over control to the appropriate protocol. It might be forwarded, the protocol decides.
    The Adres Resolution Protocol which is defined in: (rfc's are available from rfc-editor.org) might be worth checking out.
    Typing arp -a from a command prompt gives you some information too.

    So once a packet hits the ethernet wires it looks like this:
    [ethernet[ip[tcp]]].
    Packets vary in size. Sniffing on complete packets would not be a logic thing to do.
    There are various reason you would like to sniff the network:
    - Intrusion detection
    - Network fault analysis
    - Spying on conversation
    - Stealing passwords
    - Curiosity
    Now normally when your box recieves a packet that should be forwarded that is the only thing done. A sniffer will capture data for analysis and send it through to the destination anyway. That makes it hard to detect sniffer attacks. A good placed sniffer can collect tons of valuable information. You could for example use a sniffer to find out what data you transmit to MS when you use update.
    Now any good sniffer will decode the packets it filters for you and give you somewhat readable text. It will help you a great deal if you know your way around the various numbersystems as well as ascii.

    To use a sniffer to attack somebody you will have to break in on the conversation somewhere.
    That means either the victim or the victims ISP's computer.
    Setting up an ICMP redirect could also do the trick.

    Different protocols send passwords in clear text over the wires. These include:
    Ftp
    Telnet/rlogin
    Http
    POP.

    Now to get you started you could get Windump which is the Windows porting off the popular Unix based Tcpdump.
    Windump is available from http://windump.polito.it
    It comes as source code distribution as well as binary.
    Read the online manual for the parameters.
    For a quick start 'windump -D (gives you available adapters)
    windump -i 1 (starts windump with the first listed adapter)

    Now after you capture packets you will have to use some sort of protocol analyzer to decode it.
    Some sniffers include these where others do not.



    Here come some sources where you can obtain packet-sniffers (msdos/windows):

    ethereal: http://www.ethereal.com/
    etherpeek: http://www.wildpackets.com/
    gobbler: http://nmrc.org/files/msdos/gobbler.zip
    ethload: ftp://ftp.simtel.net/pub/simtelnet/m...n/ethld200.izp

    (linux):
    tcpdump: http://www.tcpdump.org/
    LinSniff: http://packetstorm.securify.com/

    There are lots more but this will get you going.

    Recommended reading:

    RFC's
    TCP illustrated.
    OSI referance.
    sniffing-faq.html

    That concludes it.
    Note that this was written to give a primer on the workings off packetsniffing.
    I do not encourage illegal activity nor take responsibility for actions taken after reading this text.


    noODle
    Share on Google+

  2. #2
    Junior Member
    Join Date
    Nov 2005
    Posts
    3
    msmittens would you kindly help on installing the ettercap
    Share on Google+

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    744
    Quote Originally Posted by phoenixBIT View Post
    msmittens would you kindly help on installing the ettercap
    Is she even around anymore?
    Every now and then, one of you won't annoy me.
    Share on Google+

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Is she even around anymore?
    Drops in now and again AFAIK.

    @ e0s

    Please start a new thread. This is the Tutorials Forum, which is not the place to seek the advice you need. Basically, the people who might know won't read it

    Please supply hardware and OS details.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
    Share on Google+

  5. #5
    HYBR|D
    Guest
    Sigh.

    Topic closed.
    Share on Google+

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Wow. This is an old thread.. Phoenix: what are you installing on?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
    Share on Google+

  7. #7
    Junior Member
    Join Date
    Apr 2011
    Posts
    2
    Hello, I am new, bringing the post back from the dead if it's alright, rather than make a new one..I've got Ettercap running on one machine in my LAN lab. Basically the lan is 2 hosts connected to a switch which is connected to a router that can go to another network. When I use the command sudo ettercap -i eth0 -T -M ARP /10.0.0.1/ /10.0.0.7/ .1 being the default gateway and .7 being the other machine on the lan. When running the command I am only getting these packets: UDP 10.0.0.1:520 --> 255.255.255.255:520 looks like some kind of layer 3 broadcast address from the dg..wondering what I need to do to get this working as I am new...I've tried dumping the arp cache on both router and host and still nothing...thanks for the help...and shoutout to irongeek for the tut
    Share on Google+

  8. #8
    Junior Member
    Join Date
    Apr 2011
    Posts
    2
    bump
    Share on Google+

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    744
    @eos

    Don't listen to nihil, he's just a mod, post where you want, ignore the limits!
    Every now and then, one of you won't annoy me.
    Share on Google+

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    534
    good information, thanks for posting this tutorial.
    A laptop, internet connection and beer.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides